Enhancing Security of Linux-based Android Devices Aubrey-Derrick - - PowerPoint PPT Presentation

enhancing security of linux based android devices
SMART_READER_LITE
LIVE PREVIEW

Enhancing Security of Linux-based Android Devices Aubrey-Derrick - - PowerPoint PPT Presentation

Dec 23, 2023 97 likes •438 views

Enhancing Security of Linux-based Android Devices Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Jan Clausen, Kamer Ali Yksel, Osman Kiraz, Ahmet Camtepe, and Sahin Albayrak This work was funded by Deutsche Telekom Laboratories

slide-1
SLIDE 1

Enhancing Security of Linux-based Android Devices

Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Jan Clausen, Kamer Ali Yüksel, Osman Kiraz, Ahmet Camtepe, and Sahin Albayrak

This work was funded by Deutsche Telekom Laboratories

slide-2
SLIDE 2

07.11.2007 CC SEC Folie 2

www.DAI-Labor.de

  • Research Institute with ~100 employees
  • Six core departments:
  • Agent Core Technologies
  • Next Generation Services
  • Information Retrieval
  • Cognitive Architectures
  • Education
  • Security
slide-3
SLIDE 3

07.11.2007 CC SEC Folie 3

DAI-Labor Security Department

  • Works on:
  • Smartphone Security
  • Agent Security
  • Network Security Simulation
  • Critical Infrastructures
  • PKI / Cryptography
  • Next Generation Homes - Security
slide-4
SLIDE 4

07.11.2007 CC SEC Folie 4

TOC

  • Motivation
  • Android Security
  • Adding Linux Security Tools to Android
  • Enhancing Security with self-built IDS
slide-5
SLIDE 5

07.11.2007 CC SEC Folie 5

Motivation

  • Smartphones getting increasingly popular
  • Various smartphone malwares appeared
  • Signature-based approaches only efficient for

“known” malware

  • Anti-Virus engines need avg. time of 48 days to

get capable of detecting new malware [Oberheide08]

  • More than 700,000 can be infected via MMS in

about three hours [Bulygin07]

slide-6
SLIDE 6

07.11.2007 CC SEC Folie 6

Motivation

  • Android already very popular (Java on

Linux)

  • Android sources will be set open-source
  • Opportunity to develop low-level security tools

for commonly used smartphones the first time

  • Linux security research is mature
  • A lot lessons learned
  • A lot of open source tools available
slide-7
SLIDE 7

07.11.2007 CC SEC Folie 7

TOC

  • Motivation
  • Android Security
  • Adding Linux Security Tools to Android
  • Enhancing Security with self-built IDS
slide-8
SLIDE 8

07.11.2007 CC SEC Folie 8

Android Security

  • Images on emulator
  • System Image (YAFFS2, 65 MB / 21 MB free)
  • Mounted to /system
  • OS files, libraries, drivers, system bins
  • Android config files
  • Android framework
  • Android base applications (e.g. Browser)
  • +R(W)X
slide-9
SLIDE 9

07.11.2007 CC SEC Folie 9

Android Security

  • Images on emulator
  • Userdata Image (YAFFS2, 65 MB / 40 MB free)
  • Mounted to /data
  • Used for applications, user data, DRM, ...
  • +RWX
  • Cache Image (YAFFS2, usage not specified yet)
  • SD-Card Image (no “obvious” size limitations)
  • Mounted to /sdcard
  • Files created as user and group “system”
  • +RW
slide-10
SLIDE 10

07.11.2007 CC SEC Folie 10

Android Security

  • Applications are “location-aware”
  • Can only be executed in /data or /system
  • Any changes on file permissions succeed there
  • Changes in e.g. /sdcard do not succeed (e.g.

set execute bit)

  • Most probably, (Linux) applications cannot be

started via SD-Card

slide-11
SLIDE 11

07.11.2007 CC SEC Folie 11

Android Security

  • (Java) Application signing is required
  • Linux state not clear
  • developer signs his application with own

certificate at the moment

  • System might change to something similar to

Symbian OS

  • Central authority for assigning certificates
  • Limited access to APIs
  • Each, Goole and T-Mobile announced application store

(might include application testing and verification)

slide-12
SLIDE 12

07.11.2007 CC SEC Folie 12

Android Security

  • File rights:
  • /data/data/<package.application_name>
  • “application land”
  • drwxr-xr-x app_14 app_14 2008-09-17 14:26 com.android.sample
  • Application can access other application

directories signed with identical certificates

  • “Certification land”
slide-13
SLIDE 13

07.11.2007 CC SEC Folie 13

TOC

  • Motivation
  • Android Security
  • Adding Linux Security Tools to Android
  • Enhancing Security with self-built IDS
slide-14
SLIDE 14

07.11.2007 CC SEC Folie 14

Adding Linux Security Tools to Android General Information

  • Emulator is used as basis
  • OHA/Google modified a lot of standard libraries

and binaries

  • Reason: opportunity for business costumers to

claim “intellectual property”

  • Application space is limited (~40 MB)
  • Common security tools were tested
  • But: special build environment needed
slide-15
SLIDE 15

07.11.2007 CC SEC Folie 15

Creating a Build Environment for Android

  • Ubuntu 8.04
  • Two toolkits can be used
  • Sourcery cross-compile toolchain
  • Scratchbox cross-compilation toolkit
  • Emulated ARM environment
  • “Common” Linux file system layout
slide-16
SLIDE 16

07.11.2007 CC SEC Folie 16

Creating a Build Environment for Android Important Facts

  • Files are located in:
  • System files are placed in /system
  • Binaries in /system/bin
  • Libraries in /system/lib
  • Config files in /system/etc
  • System configuration in OpenBinder
  • Page alignment causes changes in linking
  • Only way to get available applications run is

compiling them statically

slide-17
SLIDE 17

07.11.2007 CC SEC Folie 17

Adding Tools

  • “Top 100 Network Security Tools” [Insec06]
  • Tested from 5 main categories:
  • Anti-Virus: ClamAV
  • Firewall: iptables
  • Rootkit Detectors: chkrootkit
  • Intrusion Detection: Snort
  • Other useful tools: Busybox, Bash, OpenSSH,

strace, Nmap

slide-18
SLIDE 18

07.11.2007 CC SEC Folie 18

Anti-Virus: ClamAV

  • Android Compatibility: Works
  • Problems, solutions, and size:
  • Static compilation (linking) required
  • Dependent on static compiled version of "zlib"

(zlib-1.2.3)

  • Total size of all ClamAV relevant files (approx. 28MB)

exceeds available size in System image

  • (21MB). ClamAV virus signature database needs to be

placed in a different location.

  • Size (approx.): 11140 KB libraries and binaries (/opt),

17324 KB database (/data)

slide-19
SLIDE 19

07.11.2007 CC SEC Folie 19

Anti-Virus: ClamAV Results

  • ---------- SCAN SUMMARY -----------

Known viruses: 407205 Engine version: 0.94 Scanned directories: 0 Scanned files: 106 Infected files: 0 Data scanned: 5.12 MB Time: 107.236 sec (1 m 47 s) #

slide-20
SLIDE 20

07.11.2007 CC SEC Folie 20

Firewall: iptables

  • Problems:
  • Kernel needs to be recompiled from source.

Sources can be freely downloaded from Android Project website. Enable NETFILTER in kernel configuration and recompile!

  • “iptables” cannot be compiled due to linker

issues: It requires statically compiled parts of libc which Android does not provide.

slide-21
SLIDE 21

07.11.2007 CC SEC Folie 21

Rootkit Detector: Chkrootkit

  • Android Compatibility: Works with minor

dependencies

  • Problems, solutions, and size:
  • Static compilation (linking) required
  • Requires "netstat" (provided by "busybox")
  • Requires standard directories (/lib, /etc, etc.)

provided by symbolic links pointing to the correct Android directories

  • Size (approx.): 588 KB
slide-22
SLIDE 22

07.11.2007 CC SEC Folie 22

Rootkit Detector: Chkrootkit Results

# ./chkrootkit [: gid: unknown operand ROOTDIR is `/' Checking `amd'... not found Checking `basename'... INFECTED Checking `biff'... not found Checking `cron'... not infected Checking `echo'... INFECTED Checking `egrep'... not infected Checking `env'... INFECTED Checking `find'... not infected Searching for common ssh-scanners default files... nothing found Searching for suspect PHP files... find: /var/tmp: No such file or directory nothing found Searching for anomalies in shell history files... nothing found chkproc: Warning: Possible LKM Trojan installed chkdirs: Warning: Possible LKM Trojan installed Checking `sniffer'... ./chkrootkit: ./ifpromisc: not found

slide-23
SLIDE 23

07.11.2007 CC SEC Folie 23

Intrusion Detection: Snort

  • Problems:
  • Dependencies to libpcap, libdnet, libnet, pcre

and iptables (all as statically compiled/linked solutions)

  • Requires statically compiled/linked libc parts

which are not available on Android

slide-24
SLIDE 24

07.11.2007 CC SEC Folie 24

Other Useful Tools: Busybox, Bash, OpenSSH, strace, Nmap

  • Busybox: works
  • Bash: works
  • OpenSSH: Can be executed but is not fully

functional (requires users that do not exist in the android environment)

  • strace: works
  • Nmap: works with minor dependencies
slide-25
SLIDE 25

07.11.2007 CC SEC Folie 25

TOC

  • Motivation
  • Android Security
  • Adding Linux Security Tools to Android
  • Enhancing Security with self-built IDS
slide-26
SLIDE 26

07.11.2007 CC SEC Folie 26

Enhancing Security with a Self-built Intrusion Detection System

slide-27
SLIDE 27

07.11.2007 CC SEC Folie 27

Detecting Intrusions and Malware Overview

slide-28
SLIDE 28

07.11.2007 CC SEC Folie 28

Detecting Intrusions and Malware Static Function Call Approach

  • Planned to present metric for weighing

suspiciousness of function/system calls

  • Solution far more easier on Android
  • Simple decision tree can achieve 95%

detection rate

  • Tested with Linux malware
  • Some of them were recompiled for Android, but only

minor differences

  • Still has to be tested on real device!
slide-29
SLIDE 29

07.11.2007 CC SEC Folie 29

Detecting Intrusions and Malware Static Function Decision Tree

__bss_start = y | gethostbyname = y | | sigaction = y: normal | | sigaction = n: malicious | gethostbyname = n | | fork = y | | | strerror = y | | | | getgrgid = y: malicious | | | | getgrgid = n: normal | | | strerror = n: malicious | | fork = n: normal

continued on the right side

... continued __bss_start = n | printf = y: malicious | printf = n | | fprintf = y: malicious | | fprintf = n | | | execv = y: malicious | | | execv = n | | | | memmove = y: malicious | | | | memmove = n | | | | | perror = y: malicious | | | | | perror = n: malicious

slide-30
SLIDE 30

07.11.2007 CC SEC Folie 30

Summary

  • Android Security
  • How to enhance security
  • Add Linux security tools
  • Light weight IDS
slide-31
SLIDE 31

07.11.2007 CC SEC Folie 31

References

  • [Bulygin07] Y. Bulygin, “Epidemics of mobile worms,” in Proceedings of the

26th IEEE International Performance Computing and Communications Conference, IPCCC 2007, April 11-13, 2007, New Orleans, Louisiana, USA. IEEE Computer Society, 2007, pp. 475–478.

  • [Oberheide08] J. Oberheide, E. Cooke, and F. Jahanian, “Cloudav: N-version

antivirus in the network cloud,” in Proceedings of the 17th USENIX Security Symposium (Security’08), San Jose, CA, July 2008.

  • [Insec06] INSECURE.ORG, “Top 100 network security tools,” 2006. [Online].

Available: http://sectools.org/

slide-32
SLIDE 32

07.11.2007 CC SEC Folie 32

Thank you for your patience! Q&A

slide-33
SLIDE 33

07.11.2007 CC SEC Folie 33

Dipl.-Inf. Aubrey-Derrick Schmidt

Researcher

+49 (0) 30 / 314 – 74 039 +49 (0) 30 / 314 – 74 003

aubrey.schmidt@dai-labor.de

Contact

Hans-Gunther Schmidt

Student Researcher

+49 (0) 30 / 314 – 74 041 +49 (0) 30 / 314 – 74 003

hans-gunther.schmidt@dai-labor.de